This guide explains how to integrate Keycloak as an Identity Provider (IdP) with Humand as a Service Provider (SP) using the SAML 2.0 protocol. 

By completing this configuration, your users will be able to authenticate into Humand using their existing Keycloak credentials through Single Sign-On (SSO). 

This guide is intended for IT administrators and system integrators with access to both the Keycloak admin console and the Humand admin or support interface.

Prerequisites

• Keycloak admin access.
• Humand Client INSTANCE_ID (Provided by your Humand Account Manager/ Onboarding Leader)
   

Creating the Keycloak client

Now that you have the SP information, you must create a new Keycloak client and enter that information during the creation process.

1. Sign in to your Keycloak Administration Console.
2. Click Clients > Create.

3. Client ID > https://api-prod.humand.co/api/v1/sso-saml 

4. Client Protocol > SAML 

5. Client SAML Endpoint > https://api-prod.humand.co/api/v1/sso-saml/callback?to=INSTANCE_ID 

6. Save.

Downloading the Keycloak Metadata -XML Format

1. Go to Realms.

2. Click on SAML 2.0 Identity Provider Metadata. 

3. Download the Metadata and send it to your Humand Account Manager/Onboarding Leader, cc’ing help@humand.co - Subject: Organization Name l INSTANCE_ID l Metadata.
 

Final Considerations

• When configuring Keycloak, make sure to assign the necessary users or groups to the Humand SAML client. If no users are assigned, the login will not work even if the SAML configuration is correct.
• Always remember that the NameID has to match what Humand expects, which is the employeeInternalId used as the login identifier
• If you require further support, please contact help@humand.co - Subject: Organization Name l INSTANCE_ID l SSO Configuration Support